As we can see there's a bunch of ways you can ping the same IP. For a moment, I wondered if this was just how Ping worked. However, given that this works with OpenURL, I decided to try it with Cobalt Strike!

GitHub

I wrote a script that automatically outputs a set of known formats for the same IP address that you specify. Hopefully it will be useful for some people!

Cobalt Strike

Although I rarely use IP addresses compared to hostnames when it comes to connecting to resources, we know for a fact that many threat actors do. In some cases you may want to resort to using IP addresses and this technique can add a bit of flavor to the mix.

To use this technique in Cobalt Strike, you simply create a listener like you normally would. Let's say my IP was 45.54.123.21; run IPFuscator as shown below:

[Screenshot: ConEmu64_2018-05-19_19-48-55]

You can immediately take this information and use any of these representations in your listener address. For example:

[Screenshot: javaw_2018-05-19_19-51-36]

Generate a payload as you would normally, and it all works fantastically!

You could even mix it up a bit:

[Screenshot: javaw_2018-05-19_20-02-44]

Cobalt Strike Aggressor Script

I actually wrote a Cobalt Strike Aggressor Script that automatically converts the IP you pass to the ping command and runs ping with the hexadecimal equivalent IP. If you want to use it, you can obtain the script from my Aggressor repository. It was released back in 2017.

Conclusion

IPFuscation is not an advanced technique. However, it can be used to:

Potentially break regex rules in command-line logging that look for IP addresses, e.g. when you issue a command such as ping 0055.0x0036.000173.0x0015
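
For defenders, the regex gap described above closes once every candidate token in a logged command line is parsed the way inet_aton-style resolvers parse it and compared with its canonical dotted-decimal form. The sketch below is an added example, not code from the original post or from IPFuscator; the function names and the sample command lines are constructed for illustration.

```python
import re

# One component: hex (0x..) or digits (decimal, or octal when zero-prefixed).
PART = r"(?:0[xX][0-9a-fA-F]+|[0-9]+)"
# One to four dot-separated components, not embedded in a larger word.
TOKEN = re.compile(rf"(?<![\w.])({PART}(?:\.{PART}){{0,3}})(?![\w.])")

def parse_part(p):
    """Parse one component inet_aton-style; None if it is not a valid number."""
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8) if re.fullmatch(r"[0-7]+", p) else None
    return int(p)

def normalize(token):
    """Return canonical dotted decimal for an IPv4 literal, or None."""
    if not TOKEN.fullmatch(token):
        return None
    parts = [parse_part(p) for p in token.split(".")]
    if None in parts:
        return None
    *head, last = parts
    # Leading components are one byte each; the last fills the remaining bytes.
    if any(h > 0xFF for h in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, h in enumerate(head):
        value |= h << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def find_obfuscated_ips(cmdline):
    """List (token, canonical) pairs for IPv4 literals in non-canonical form."""
    hits = []
    for m in TOKEN.finditer(cmdline):
        canon = normalize(m.group(1))
        # Skip plain dotted decimal, and 0.x.x.x results (bare small integers
        # such as "-n 4"), a tuning choice made for this example.
        if canon and canon != m.group(1) and not canon.startswith("0."):
            hits.append((m.group(1), canon))
    return hits

# Constructed sample command lines (not real logs).
SAMPLES = ["ping 0055.0x0036.000173.0x0015", "ping 758545173",
           "ping 0x2d367b15", "ping -n 4 45.54.123.21"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", find_obfuscated_ips(line))
```

Short forms with two or three components can also match version strings such as 1.5, so in a real pipeline the hits are best scoped to arguments of network-capable commands.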